Tailored bright illumination attack on distributed-phase-reference protocols 
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Detector control attacks on quantum key distribution systems exploit the linear mode of avalanche 
photodiode in single photon detectors. So far, the protocols under consideration have been the 
BB84 protocol and its derivatives. Here we present how bright tailored illumination exploiting the 
linear mode of detectors can be used to eavesdrop on distributed-phase-reference protocols, such as 
differential-phase-shift and coherent-one-way. 
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I. INTRODUCTION 

Quantum mechanics theoretically allows two parties, 
Alice and Bob, to grow a private, secret key, even if the 
eavesdropper Eve can do anything permitted by the laws 
of nature [H-lJl- The field of quantum key distribution 
(QKD) has evolved rapidly in the last two decades, with 
transmission distances reaching 250 km in the laboratory 
0, and commercial QKD systems available from several 
vendors [1]. 

Even though QKD can be proved secure in theory 
0, 0, 0] J the implementations may contain loopholes al- 
lowing side-channel attacks. In fact, many such side- 
channel attacks have been identified and countered, ei- 
ther by modifying the implementation, generalizing the 
security proof, or both ^8rj22j . The discoveries of im- 
plementation loopholes does not prove the insecurity of 
QKD, but rather its maturity. Scrutinizing the imple- 
mentations is a vital step to achieve satisfactory security 
in practical QKD. 

Recently the detector control attacks [23l - l28| exploit- 
ing the linear mode of avalanche photodiodes (APDs) 
received considerable attention. This class of attacks 
stands out from previous attacks since they allow the 
eavesdropper Eve to copy the full key, while not being 
revealed by monitored parameters, such as the quan- 
tum bit error rate. Furthermore, the attacks are imple- 
mentable with current technology. The loophole has been 
identified in two commercial QKD systems [l^], and the 
full attack has been demonstrated under realistic con- 
ditions on an experimental QKD setup [13]. Further- 
more, it has been proved possible to keep the APDs in 
the linear mode thr oug h blinding illumination for both 
passively-quenched [Ij, [l^ , actively-quenched and 
gated APDs j23 - [26j through a variety of techniques. 

So far these bright illumination detector control at- 
tacks have been considered on the Bennett-Brassard 1984 
(BB84) protocol and its derivatives with similar im- 
plementations, such as the Scarani-Acin-Ribordy-Gisin 
2004 (SARG04)_[2pL Ekert (2, six-state [Miii, and de- 
coy protocols Here we present how to exploit 



the linear mode of the detectors in distributed-phase- 
reference protocols such as difFerential-phase-shift (DPS) 
[H Hi] and coherent-one-way (COW) [sS, IHl to trace- 
lessly eavesdrop the full raw and secret key. 



II. EAVESDROPPING ON LINEAR 
DETECTORS 

For the distributed-phase-reference protocols consid- 
ered here, the implementation of Bob is 'passive' in the 
sense that Bob does not use a modulator that introduces 
randomness into his detection system (similarly to pas- 
sive vs. active basis choice in the BB84 protocol [39|). 
Detector control is easier for passive implementations, 
since Eve does not have to deal with different possibilities 
associated with Bob randomly selecting a measurement. 

In a detector control attack. Eve measures the states 
from Alice using a copy of Bob's measurement device 
(Bob') to obtain a detection event. Eve resends a bright 
trigger pulse targeting the detectors operated in the lin- 
ear mode, and in a successful attack it causes the ex- 
act same detection event in Bob's measurement device 
(see Fig. [1]). Since Eve uses a copy of Bob, Bob's detec- 
tion statistics will be indistinguishable from the detection 
statistics he obtains without any eavesdropper. There- 
fore, Alice's and Bob's data will not reveal the eaves- 
dropper. Furthermore, since Eve has an exact copy of 
Bob's detection results, the details of the protocol are 
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FIG. 1. Scheme of a detector control attack: Eve measures the 
states from Alice using a copy of Bob's measurement device 
(Bob') to obtain a detection event. She then uses a faked- 
state generator (FSG) to generate a bright pulse tailored 
to cause the same detection event in Bob. 
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irrelevant: the security is broken for any classical post- 
processing since Eve can listen to the classical channel 
and perform the same post-processing on her copy of the 
detection results. Therefore, the challenge in a detector 
control attack is to find a way to make arbitrary detec- 
tion events in Bob's measurement device, given that the 
detectors are accessible in the linear mode. 

If the detectors are gated, it may be possible to access 
them in the linear mode simply by sending the bright 
states after the gate [1^. Otherwise it might be neces- 
sary to blind the detectors, either with continuous illumi- 
nation [23, HE] or different types of modulated blinding 

MM- 

Regardless of how the linear mode is obtained, the de- 
tectors have similar characteristics and have two impor- 
tant parameters: Pnovcr is the maximum trigger pulse 
power which never causes a click in any detector, and 
^always IS the minimum trigger pulse power which always 
causes a click in an arbitrary detector. For BB84 
SARG04 dij and decoy-protocols M^ the require- 
ment for perfect detector control attacks is given by [23 | 



always 



< 2Pn 



(1) 



Note that both Pncvor and Paiways seem to increase with 
higher blinding illumination 24| . 
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III. DIFFERENTIAL-PHASE-SHIFT 
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FIG. 2. Detector control in a DPS implementation: Eve's 
FSG consists of a laser source producing a train of coherent 
pulses with amplitude Paiways, and a phase modulator (PM). 
Eve controUably causes identical detection events in Bob by 
an appropriate phase if in each pulse. No trigger pulse is 
applied to the left of the diagram, nor in the first slot. 



in the quantum channel or detector deadtime. Eve can 
relax the requirement ([T]) further. Then she does not send 
a train of pulses, but rather for each detection event she 
sends two pulses with the appropriate phase difference. 
Then Paiways /4 hits the detectors in the slots before and 
after the detection event. 

If blinding is necessary, one can use a blinding light 
source with a coherence length less than the length dif- 
ference of the interferometer arms to illuminate both de- 
tectors equally. 



The upper right of Fig. El sh ows Bob's measurement 
device in the DPS protocol |35l. l36j , consisting of an un- 
balanced Mach-Zehnder interferometer and one detector 
for each bit value. The length difference of the arms in 
the interferometer matches the time difference between 
two adjacent pulses sent by Alice. Alice sends a train 
of coherent pulses and uses the phase difference between 
two adjacent pulses to encode the two different bit val- 
ues: phase difference corresponds to the bit value and 
TT phase difference corresponds to the bit value I. 

For the DPS protocol. Eve's faked-state generator 
(FSG) is simply a copy of Ahce's optical scheme, but 
the coherent pulses are brighter with amplitude Paiways- 
As we will see, the requirement for the detection thresh- 
olds is the same as for the BB84 family of protocols, 
given by Eq. [TJ Assuming suitable detection thresholds, 
an arbitrary detector at Bob in slot k can be triggered 
by selecting the phase difference (pk — V'fc-i- 

{{N + f/2)7r causes a vacuum event, 
2Ntt causes a click in DO, 

(2iV -I- 1)t: causes a click in Dl, 

where N is an integer (see Fig. [5]). Since Paiways/2 hits 
each detector for vacuum events, the requirement for per- 
fect eavesdropping is given by Eq. ([1]). 

If Bob accepts at least two vacuum events between ev- 
ery detection event, for instance due to low transmission 



IV. COHERENT-ONE-WAY 

The upper right of Fig. |3] shows Bob's measurement 
device in the COW protocol [13, H^, consisting of a 
fiber-optic coupler or a beam-splitter with splitting ratio 
t_B : (1 — ^b), followed by a detector Db to generate secret 
key. The other output of the fiber-optic coupler leads to 
an unbalanced interferometer identical to the one in the 
DPS protocol. It has two monitoring detectors Dmi and 
Dm2 to check for eavesdropping, by checking the coher- 
ence of adjacent pulses. To generate key, Alice sends a 
train of pulses which are grouped in pairs. In each pair, 
the slot absent of a pulse determines the bit value of the 
key. The exact details of the protocol are irrelevant, as 
long as Eve can transparently mirror her detection events 
onto Bob's detectors. 

As we will see, for perfect eavesdropping against COW, 
it is necessary for Eve to obtain different trigger pulse 
thresholds for the data detector Db, and the monitor- 
ing detectors Dmo and Dmi- -Paiways.B and Pncvor,B are 
the thresholds for the data detector while Paiways, m and 
-^ncvcr are the thresholds for the monitoring detectors. 

The monitoring detectors have exactly the same setup 
as for DPS, and therefore they can be controlled as de- 
scribed in the previous section. However, since only 
(I — ts) of the trigger pulse power enters the interfer- 
ometer of the monitoring detectors, the amplitude of 
the pulse train must be increased to Paiways.M/(l — ts)- 
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For perfect control, it is important that the iUumination 
which enters the other arm does not trigger the data de- 
tector. This requires that 



r. 



tf 



-P. 



always, M 



never, B • 



(2) 



The data detector can be triggered by increasing the am- 
phtude of the trigger pulse to -Paiways.e/^s- Then how- 
ever, it is crucial that the monitoring detectors are not 
triggered. To minimize the illumination on the moni- 
toring detectors, phase difference is set to tt/2, and the 
threshold requirement is given by 



1-tB 

tB 



always.B 



< 2R 



never, Ml 



(3) 



where the factor 2 represents that the illumination is split 
between the two monitoring detectors, just as the factor 
appearing in Eq. ([1]). Again, if there are at least two 
vacuum events between every detection event, the factor 
2 can be replaced by 4. Furthermore, some COW imple- 
mentations use only one monitoring detector l4l| . In 
that case the requirement can be relaxed even fur- 
ther, since most of the illumination can be directed to 
the unused interferometer output during vacuum events. 

To see what the requirements ^ and ^ means in 
practice, they can be rewritten to 



,B > 



tB 



l-tB 



-p. 



always,M ? 



always,B 



< 2- 



l~tB 



never, M- 



(4a) 



(4b) 



Now let us assume the reasonable values [2J, |25[ 
-Pncvcr.M = 400 |J.W, and that Paiways.M = 500 |xW for the 
monitoring detectors. Table |T] lists different constraints 
on the data detector thresholds for various values of t^, 
where tn= 0.5 and Ib = 0.9 have been reported in exper- 
iments [allSlili- With tB close to 1, the thresholds for 
the data detector must be very much higher than for the 
monitoring detectors. If blinding illumination is applied, 
the data detector will receive a larger fraction of the il- 
lumination which would usually cause higher thresholds 
[24i] than for the monitoring detectors. If a fiber-optic 
coupler is used. Eve may increase the threshold differ- 
ence even further by using a blinding wavelength outside 
the working range of the coupler, blinding the data detec- 
tor even deeper (42j . In the implementations with only 



TABLE I. Data detector thresholds for various values of 



tB, given by Eq. g] for Pncvor.M 
500 M-W. 
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FIG. 3. Detector control in a COW implementation: Eve's 
FSG consists of a laser source producing a train of coher- 
ent pulses, an intensity modulator (IM) and a phase modula- 
tor (PM). The lower part of the figure shows an example of 
detector control, where the system parameters are assumed 

to be tB = 0.5, Pnevcr.M = 400 JiW, Palways.M = 500 JiW, 

f'novcr.B = 600 jiW and Paiways.B = 750 jiW. The dashed 
lines in the diagram are the detector thresholds. Eve con- 
troUably causes identical detection events in Bob by an ap- 
propriate phase VP and ampfitude in each pulse. The trigger 
pulse amplitude is 2Paiways,M = 1000 viW, and is increased to 
2-Paiways,B = 1500 jiW to trigger the data detector. No trigger 
pulse is applied to the left of the diagram, nor in the first slot. 



one monitoring detector. Eve can control the amount of 
blinding illumination at it independently from the data 
detector, by splitting the blinding illumination arbitrarily 
between the output ports of the interferometer. However, 
how much higher thresholds it is possible to achieve for 
the data detector than the monitoring detectors remains 
an open question. Note that for values oUb close to 1, 
it should be straightforward for Eve to trigger the data 
detector while keeping the monitoring detectors silent. 
Therefore, it is important to check for the absence of 
clicks in the monitoring detectors. 

Eve's FSG is nearly a copy of Alice's optical scheme; 
in addition it includes a phase modulator to control 
the monitoring detectors. Eve emits a train of coher- 
ent pulses with amplitude Paiways,M/(l — is)- To make 
the data detector click, the amplitude is increased to 
^aiways.B/^B- One of the monitoring detectors in slot 
k can be triggered by selecting the phase difference 

{{N+1/2)tt causes a vacuum event, 
2A^7r causes a click in Dm2, 

(2iV + l)7r causes a click in Dmi, 

where is an integer. Since the data detector and the 
monitoring detectors are controlled independently, it is 
straightforward to cause a simultaneous click in the data 
detector and one of the monitoring detectors. Figure [3] 
shows Eve's FSG, and an example of detector control. 
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V. DISCUSSION AND CONCLUSION 



We have derived the requirements ([T]) and (jj]) for a per- 
fect attack on DPS and COW assuming that Eve must 
introduce a chck deterministically in Bob. However, if 
the hue between Ahce and Bob is lossy, Eve might place 
her Bob' closer to Alice, and receive more detections than 
Bob would expect. To simulate this loss, instead of ap- 
plying Paiways, Evc Can rcducc the power in the trigger 
pulses to a level which triggers the detector with a prob- 
ability equal to the expected transmittance. This relaxes 
the requirements ^ and (j4]). 

Since the detector threshold requiremen t (|T1 ) has been 
obtained using numerous techniques |24|-t26|. the DPS 
protocol is obviously vulnerable to the bright illumina- 
tion attack. For the COW protocol, the requirements ^ 
on the detector thresholds depend on the splitting ra- 
tio between the data and monitoring detectors. Routing 
more light to the data detector increases the required dif- 
ference in detection thresholds. It remains an open ques- 
tion for which splitting ratios suitable detector thresh- 
olds can be obtained. However, it seems that the bright 
illumination attacks represent a significant threat to the 



security of the COW protocol, and all subsequent imple- 
mentations should be investigated thoroughly. 

While several countermeasures have been proposed 
[23l - l27i l43j . none of them have been proved secure [13] 
to our knowledge. The same countermeasures should ap- 
ply to the distributed-phase-reference protocols. A fre- 
quently mentioned countermeasure is a power meter at 
Bob's entrance. As long as this countermeasure has not 
been proven secure, it has to be considered insufficient 
[2^|4J|. Nevertheless, it makes life harder for Eve. 

We have shown that distributed-phase-reference pro- 
tocols DPS and COW are vulnerable to bright tailored 
illumination attacks. This emphasizes the generality of 
these attacks, and demonstrates the importance of scru- 
tinizing all implementations and protocols thoroughly, as 
this is a vital step for obtaining suitable practical security 
for QKD. 
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